The collapse of the Internet and of mobile phone networks as Hurricane Sandy hit New York and New Jersey mirrors what happened when Katrina hit New Orleans. Trust is earned by those who deliver whatever the circumstances. The struggles of those who sought to keep their New York services going last week illustrate what that can mean. But how many "best efforts" services fall well short, and what are the implications as we move towards the always-on world of ubiquitous computing and the Internet of Things?
Widespread publicity for security compromises and the scale of on-line impersonation and fraud have led to a crisis of confidence in the on-line world, in parallel with that in financial institutions as a result of the banking crisis and the scandals that have accompanied it. The financial crisis can be seen as a failure of information governance. The systemic weaknesses which enable criminals to organise computer-assisted fraud arise from similar failures of technology governance. Such failures cross professional, cultural and regulatory boundaries. Now add the effects of the collapse of on-line banking and transaction systems, mobile phone networks, search engines or cloud services for hours, or even days on end, when faced by fire, flood, severed cables or even simple digititis (finger trouble), let alone major denial of service attacks.
Back in August I blogged on plans for a competition on "the meaning of trust in the on-line world". The Ethical and Security panels of the IT Livery Company have now held two linked round tables (one each).
By the end of the second meeting we had turned the question on its head: how do we enhance trust in the online world, given that we cannot (and probably never will) agree what trust actually is, or how it is gained, across a truly multi-cultural and socially inclusive Internet, where most users do not accept the values of the Starship Enterprise?
We also agreed that this is not a one-off exercise and turned our plans into a pilot for a three-year project, which might well be extended if successful. The draft definition of "success" for the pilot is:
- Universities enhancing industry partnerships with participating employers
- Students earning apprenticeships/internships/posts with employers they would not have considered
- Good ideas for helping enhance the competitiveness of the UK/EU (we should not neglect the need to bring about attitudinal change among those who set the EU regulatory frameworks within which we operate) as a base of choice for globally trusted on-line products and services
- Participants ready and willing to work together to build on what has been learned.
We are now galloping to get the pilot under way in time for the thousand or so Masters students likely to produce relevant dissertations to attract support from potential employers. The first stage includes rephrasing and publicising the high-level "question", because Masters students are expected to set their own questions and the issues can be addressed from a variety of perspectives: technical, behavioural, legal, ethical and cultural. Moreover, the supporters of the exercise have different objectives, and the key to "success" will be to exploit the overlap so that these can be achieved at the same time as generating research and recommendations that will help bring about changes in attitudes and priorities and lead to effective action.
The framework below is therefore intended to stimulate discussion and thought. It is not intended to be the list of questions that the entrants agree with their supervisors and supporters.
The core question (dodged by almost all who look at the issues) is:
How do we bring about attitudinal and behavioural change, including by using technology to make it easier to follow good practice and harder to follow bad practice?
Awareness and education programmes? Regulatory or compliance regimes? Civil or criminal law? Publicity? What are the roles of industry players, professional bodies, trade associations, self-regulators, statutory regulators, governments, auditors and insurers? What are the roles of technology and of people processes in facilitating security, privacy, good practice and trust by design/default?
The second question, at the heart of the original motivation for the competition is:
How do we enhance trust in London and the UK as a location for globally trusted services, and reap the rewards?
What is the role, if any, of the EU? How does improving on-line trust fit into the overarching objective of improving trust in the City/UK plc? Who (Financial Institutions, Government, Regulator, Professional Bodies, Trade Associations, Interest Groups) should do what?
Other high level questions might include:
How do you produce meaningful testing that deals with the claims made for the product or services i.e. not just tick box compliance with an "accreditation"?
Is improving trust that services will not fail (e.g. fire, flood, power or "failed upgrade" bringing down a system or network) more important than routines for reducing the risk of incidents (e.g. known or suspected security breaches)?
How could/should trade-offs between cost, privacy, resilience, reliability and security be handled?
How could/should "trust" be "arbitraged" across identity and transaction systems run by different organisations, in different ways and to different standards?
What is informed choice and informed consent? Does this change according to time/circumstance? Who can be trusted to ensure/record that choice was given, changed or revoked? Can consent be revoked?
There are, however, many subsidiary questions that also need to be addressed:
What is the meaning of Trust?
What are the determinants and components of trust, both on-line and off-line? Is there a difference and, if so, why? What is the current state of trust "ecosystems", including who trusts whom with their identity and/or personal information? How do we distinguish between exercising trust and being trustworthy? How do you build trust online? How do you rebuild trust after a failure? What about trusted technologies/devices? Is there a difference between trust at the wholesale level (institution to institution) and retail (institution to individual customer)?
What is the meaning of "My word is my bond" in the on-line world?
Who am I? Issues of identity (personal, legal, etc.), registration, reliance, liability, authorisation, impersonation and anonymity: not only is identification irrelevant to many transactions, but some market transactions require anonymity in order to avoid distortion.
What is my word? Issues of authentication and translation in a contractual, cultural and legal context. How is trust in "my word" affected by complex and conflicting product and service terms and conditions? Are these meaningful or enforceable? Would standard terms, streamlining, standardisation and harmonisation improve trust?
What is my bond? Issues of responsibility, liability, governance etc. Does civil law, adjudicated in London, provide a better recourse against abuse than criminal law? Legislation covering the City of London Police is different from that for the rest of the UK. This enables cooperation across legal boundaries which cannot be organised elsewhere. How could/should better use be made of the consequent potential? What about the differences between common, Roman, Jewish and Shariah law (bearing in mind that all are used in London) and their attitudes towards on-line transactions?
What, if anything, is different about the on-line world and why? Multi-cultural, multi-lingual centres like London have been handling transactions between people who never physically meet for centuries. So what really is different: problems, threats and opportunities?
I will not go into the judging criteria in detail, save that for round one they are those for a Masters dissertation: a mix of information collection and analysis in support of an innovative answer to an interesting question. Round two is for presentations by those producing innovative answers which help the competitiveness of UK plc. There may be cash prizes in both rounds, but the "real" prizes are the degree and contact with potential employers and/or research sponsors (in round one) and publicity for student, university and industry supporters in addressing issues of concern to sponsors (in round two).
I welcome e-mails (to email@example.com) from employers wishing to enhance their university partnerships and identify and support potential recruits. I also welcome e-mails from on-line banking, retailing, transaction, service and security providers who would like to use publicity for their participation to demonstrate that they take the protection of their customers and those in their supply chains seriously, and who also wish to ensure that the UK is a globally competitive base for themselves and their most reputable competitors.
I should perhaps add that I personally hope that most of the latter will also decide to join the Digital Policy Alliance with a view to using the material and ideas that emerge to help bulldoze out of the way the UK/EU regulatory overheads that do nothing to enhance trust and drive on-line transactions off-shore and out of the EU.